AI Security Review
scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a local web app/daemon for managing Claude sessions and optional remote pairing, with risky primitives tied to documented user workflows.
Decision evidence
public snapshot
- dist/server.js defaults Claude SDK permissionMode to bypassPermissions for user-created sessions.
- dist/bin/orangetree.js can spawn a detached daemon and self-update via global npm install when user invokes update.
- dist/server.js can download a Newt tunnel binary from GitHub releases, but with pinned SHA256 hashes.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- README.md describes a local-first Orange Tree app that orchestrates the user's claude CLI.
- dist/bin/orangetree.js only starts/stops/status/updates the app daemon on explicit CLI invocation.
- dist/server.js binds local mode to 127.0.0.1 and gates remote mode with token or cloud-session auth.
- dist/server.js filesystem routes use root-jail/path checks for configured work roots.
- Network use is package-aligned: update checks, cloud pairing/auth/reporting, and optional tunnel acquisition.
Source & flagged code
4 flagged
- Package source references child process execution. (dist/bin/orangetree.js · L87)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/bin/orangetree.js · L87)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (dist/bin/orangetree.js · L64)